Abstract

The Pollard $\rho$ algorithm is a widely used algorithm for solving discrete logarithms on general cyclic groups, including elliptic curves. Recently the first nontrivial runtime estimates were provided for it, culminating in a sharp $O(\sqrt{n})$ bound for the collision time on a cyclic group of order $n$ [4]. In this paper we show that for $n$ satisfying a mild arithmetic condition, the collisions guaranteed by these results are nondegenerate with high probability: that is, the Pollard $\rho$ algorithm successfully finds the discrete logarithm.

Keywords: Pollard Rho algorithm, discrete logarithm, random walk, 
expander graph, collision time, mixing time, spectral analysis. 

1 Introduction 

The Pollard $\rho$ algorithm is, to date, the leading algorithm for solving discrete logarithm problems on general groups, including elliptic curves. The algorithm can be stated as follows. Let $G$ be a cyclic group of order $n$ generated by the element $g$; $n$ may be assumed to be a large prime because of the Pohlig-Hellman reduction. Let $h = g^y$ be the element whose discrete logarithm $y$ (unknown) is to be found, and let $x_0 = h$ or a random power $g^{r_1} h^{r_2}$ (which turns out to be only slightly less general). Let $G = S_1 \cup S_2 \cup S_3$ be a random partition of $G$ into three disjoint subsets, in which each element has a $1/3$ probability of belonging to each $S_j$.$^1$ Define an iteration $x_{k+1} = f(x_k)$, where

$$f(x) = \begin{cases} gx, & x \in S_1; \\ hx, & x \in S_2; \\ x^2, & x \in S_3. \end{cases} \tag{1.1}$$

At each stage $x_k$ may be written as $g^{a_k y + b_k}$, where the coefficients $a_k, b_k \in \mathbb{Z}/n\mathbb{Z}$ are known. Iterate until a collision of values $x_k = x_\ell$ has been found, and if the collision is "non-degenerate" (meaning $(a_k, b_k) \neq (a_\ell, b_\ell)$), solve for the discrete logarithm using the formula

$$y = \frac{b_\ell - b_k}{a_k - a_\ell}.$$
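To make the iteration (1.1), the bookkeeping of $(a_k, b_k)$ and the nondegeneracy check concrete, here is an added Python implementation that is not from the paper. It assumes a constructed toy group: the subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$ of prime order $n = 509$ with $p = 2n + 1 = 1019$ and $g = 4$; the partition $S_1, S_2, S_3$ is chosen by $x \bmod 3$ as a stand-in for the random assignment, and a degenerate collision triggers a restart from a fresh random $x_0 = g^{r_1} h^{r_2}$.

```python
import random

# Constructed toy group (not from the paper): the subgroup of (Z/pZ)^* of
# prime order n, with p = 2n + 1 = 1019, n = 509, generated by g = 4.
P, N, G = 1019, 509, 4

def pollard_rho(h, seed=1, max_restarts=20):
    """Return y with g^y = h. A degenerate collision (equal coefficients)
    triggers a restart from a fresh random x_0 = g^r1 h^r2, the random
    starting point of Theorem 1.2; None only if every restart degenerates."""
    rng = random.Random(seed)

    def f(x, a, b):
        # Iteration (1.1). S1, S2, S3 are chosen by x mod 3, a cheap stand-in
        # for the random assignment; (a, b) track x = g^(a*y + b).
        r = x % 3
        if r == 0:
            return x * G % P, a, (b + 1) % N          # x -> g x
        if r == 1:
            return x * h % P, (a + 1) % N, b          # x -> h x
        return x * x % P, 2 * a % N, 2 * b % N        # x -> x^2

    for _ in range(max_restarts):
        r1, r2 = rng.randrange(N), rng.randrange(N)
        x0 = pow(G, r1, P) * pow(h, r2, P) % P        # x_0 = g^r1 h^r2 = g^(r2*y + r1)
        slow = fast = (x0, r2, r1)
        while True:                                   # Floyd: find k with x_k = x_{2k}
            slow = f(*slow)
            fast = f(*f(*fast))
            if slow[0] == fast[0]:
                break
        (_, ak, bk), (_, al, bl) = slow, fast
        if ak != al:                                  # nondegenerate: (a_k,b_k) != (a_l,b_l)
            return (bl - bk) * pow(ak - al, -1, N) % N   # y = (b_l - b_k) / (a_k - a_l)
        # degenerate collision: the coefficients coincide, so retry from a new x_0
    return None

if __name__ == "__main__":
    secret = 123
    print(pollard_rho(pow(G, secret, P)))   # prints 123
```

Because $x_k = x_{2k}$ with $a_k = a_{2k}$ forces $b_k = b_{2k}$, the test `ak != al` is exactly the nondegeneracy condition of the text.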

The algorithm is conjectured to run in time $O(\sqrt{n})$ with high probability. It is the only such algorithm which uses small memory and which works for general groups. Though faster algorithms are known for specific incarnations of cyclic groups$^2$, a theorem of Victor Shoup [7] asserts that no algorithm on a general group can be faster - aside from improving the implied multiplicative constant. For it to be successful, two things must happen:

1. A collision must be found in time $O(\sqrt{n})$.

2. This collision must be non-degenerate.

Item 1 has been the subject of a number of recent papers, before which there were no nontrivial bounds on the runtime at all. First, a collision time of $O(\sqrt{n}(\log n)^3)$ was shown in [5], which was successively improved by [3] and [1] to the optimal $O(\sqrt{n})$ bound.

The purpose of this paper is to address Item 2 for the Pollard $\rho$ algorithm (it is, however, settled for some variants of Pollard $\rho$, as in [2]). Unfortunately as of yet we are unable to make the result unconditional, for it depends on the multiplicative order of 2 modulo $n$ (the least positive integer $k$ such that $2^k \equiv 1 \pmod{n}$). We prove the following result, which is a complete runtime analysis for almost all group orders $n$:

$^1$ In practice, the assignment is accomplished using a hash function which is expected to behave randomly, as storing the partitions themselves would take up too much memory. A formal model would assume a cryptographically strong pseudo-random function whose underlying cryptographic primitive would have a security estimate exceeding the runtime of the Pollard Rho algorithm. Such implementation details to justify the random walk model used in our analysis are well understood.

$^2$ For example, index calculus provides a subexponential algorithm on the group $\mathbb{F}_p^*$, which is abstractly isomorphic to a cyclic group of order $n = p - 1$. Note that this is not itself an example of a prime order cyclic group as treated above: one must apply the Pohlig-Hellman reduction first.
1.2 Theorem. Consider the Pollard $\rho$ algorithm as above on a group $G = \langle g \rangle$ of prime order $n$, starting at a random point $x_0 = g^{r_1} h^{r_2}$. Suppose that the multiplicative order of 2 modulo $n$ is at least $c_0 (\log n)^3$, where $c_0$ is the absolute constant coming from Proposition 2.18. Then any Pollard $\rho$ collision occurring before time $T$ is nondegenerate with probability at least $1 - \frac{3T^2}{2n^2}$. In particular, the collisions guaranteed by [4] to occur with high probability within time $O(\sqrt{n})$ are nondegenerate with probability at least $1 - O(\frac{1}{n})$.

Remarks: 1) Though the probability of nondegeneracy is heuristically higher than that of collisions, in practice it has been much more difficult to prove nondegeneracy.

2) The multiplicative order of 2 modulo $n$ is typically quite large, e.g. it equals $n - 1$ if 2 generates $(\mathbb{Z}/n\mathbb{Z})^*$, which it frequently does. There do exist primes with multiplicative order the size of $\log n$ (e.g. Fermat and Mersenne primes), but those disobeying the condition in the theorem are quite rare. Indeed, we show in Lemma 3.3 that at most $O((\log X)^5)$ such primes $p$ exist in the range $X \le p \le 2X$.

3) Even if 2 has small multiplicative order modulo $n$, there is always a prime $\ell = O((\log n)^6 (\log \log n))$ which has multiplicative order at least $c_0 (\log n)^3$. This is because a cyclic group has at most $L^2$ elements of order $\le L$. (We thank the referee for supplying this argument.) If the Pollard $\rho$ algorithm is modified to replace the squaring step by $x \mapsto x^\ell$ instead, the analysis here and in [3]-[5] applies and gives a completely rigorous proof of the same $O(\sqrt{n})$ runtime, with the same $1 - O(\frac{1}{n})$ success rate.

4) The reason we need to assume a random starting point, unlike in [5], is that we cannot rule out degeneracies in collisions occurring within the first few steps. Lemma 3.1 in particular applies only to random starting points. Once the algorithm has proceeded for $c_0 (\log n)^3$ steps a random point is reached regardless of the starting point, but we cannot guarantee a random position before then.

The strategy of the proof starts with the viewpoint that the Pollard $\rho$ iteration can be modeled as a pseudo-random walk on the "Pollard $\rho$ graph": the graph whose vertices are elements of $G$, and whose (directed) edges have the form

$$x \longrightarrow xg,\ xh,\ \text{or}\ x^2. \tag{1.3}$$

Indeed, until a collision occurs the iteration by (1.1) is in fact a random walk, because the destination from a vertex $x$ depends only on its random assignment to one of the $S_j$; however, it is important that the walk is no
longer random after this point, for it enters a loop. The coefficients $(a_k, b_k) \in (\mathbb{Z}/n\mathbb{Z})^2$ meanwhile likewise can be modeled as a random walk (until the time of collision) on the following "Pollard $\rho$ coefficient graph":

$$(a, b) \longrightarrow (a + 1, b),\ (a, b + 1),\ \text{or}\ (2a, 2b). \tag{1.4}$$

This graph maps onto the graph (1.3) by $(a, b) \mapsto g^{ay + b}$, where $y$ is the (secret and unknown) exponent of $h = g^y$.

Our argument has two main ingredients. The first is a spectral upper bound on the mixing time of this graph, which roughly speaking shows that the coefficients $(a_k, b_k)$ become equidistributed after a small number of steps. This is very similar to the argument in [5] to guarantee collisions among the $x_k$. That alone, however, is not enough to show nondegeneracy: it is important to note that undirected 3-regular graphs can have this equidistribution feature, while simultaneously having $(a_k, b_k)$ equaling $(a_{k+2}, b_{k+2})$ with probability $\ge 1/3$ (for example, going backwards on the edge just traveled). The second ingredient, an estimate on the number of short cycles, handles this. It is this part which depends on the condition on the multiplicative order of 2 modulo $n$, and hence which is not completely general.

We conclude this section with the proof of Theorem 1.2, which depends on estimates of the last two sections. Section 2, roughly speaking, deals with long random walks, while Section 3 deals with short random walks. The condition on the multiplicative order of 2 modulo $n$ is needed to make sure their intervals of applicability overlap.

Proof of Theorem 1.2. Once a collision occurs, all future collisions are nondegenerate if and only if the first one was; this is because of the invertibility of the steps in (1.4). Thus, it suffices to assume that no collision has occurred until time $T$, which allows us to model the coefficients $(a_k, b_k)$, $k < T$, using a random walk on (1.4). Because the starting point $x_0 = g^{r_1} h^{r_2}$ is uniformly distributed and the walk up to time $T$ is random, the values of each $(a_k, b_k)$ are themselves uniformly distributed. We show in Proposition 2.18 and Lemma 3.1 that for any $m > 0$ and a random point $(a, b) \in (\mathbb{Z}/n\mathbb{Z})^2$, a random walk of length $m$ starting at $(a, b)$ ends at $(a, b)$ with probability at most $\frac{3}{2n^2}$. By the union bound, the probability of a degeneracy $(a_k, b_k) = (a_\ell, b_\ell)$ occurring for some distinct $k, \ell < T$ is bounded above by

$$\frac{3T^2}{2n^2}. \tag{1.5}$$
It is a pleasure to acknowledge Ravi Montenegro, Ze'ev Rudnick, Adi Shamir, and Prasad Tetali for their helpful discussions. We also thank Curt McMullen for helpful comments concerning the remark at the end of Section 2, and the anonymous referee for their suggestions for improving the paper, in particular Remark 3 above.

2 Mixing time estimates 

Let $A$ denote the adjacency operator of the graph (1.4): it is defined on complex-valued functions $f$ on $(\mathbb{Z}/n\mathbb{Z})^2$ by the formula

$$Af(a, b) = f(2a, 2b) + f(a + 1, b) + f(a, b + 1). \tag{2.1}$$

Such functions themselves form a complex vector space of dimension $n^2$, which is equipped with the usual inner product and norm

$$(f_1, f_2) = \sum_{a, b \in \mathbb{Z}/n\mathbb{Z}} f_1(a, b)\,\overline{f_2(a, b)}, \qquad \|f\|^2 = (f, f). \tag{2.2}$$

Of special interest to us is the restriction of $A$ to $\mathbf{1}^\perp$, the orthogonal complement of the constant function $\mathbf{1}$ (the functions on the graph whose average value is zero). The following result relates the operator norm properties of this restriction of $A$ to the mixing properties of the random walk on the graph:

2.3 Lemma. ([5, Lemma 2.1]) Let $\Gamma$ denote a directed graph on the vertex set $V$, having both $d$ directed edges entering and exiting each vertex (including multiplicity). Suppose that there exists a constant $\mu < d$ such that $\|Af\| \le \mu \|f\|$ for all $f \in \mathbf{1}^\perp$. Let $S$ be an arbitrary subset of $V$. Then the number of paths of length $r$ exceeding a threshold depending only on $|V|$, $d$ and $\mu$ which start from any given vertex and end in $S$ is between $\frac{1}{2} d^r \frac{|S|}{|V|}$ and $\frac{3}{2} d^r \frac{|S|}{|V|}$.

Thus sufficiently long random walks hit a set $S$ with probability between $\frac{1}{2}\frac{|S|}{|V|}$ and $\frac{3}{2}\frac{|S|}{|V|}$, independent of their starting point. Unfortunately this Lemma does not apply directly to our situation, because it can happen that $\|Af\| = 3\|f\|$ for some functions $f \in \mathbf{1}^\perp$. However, to show that random walks mix it suffices to work two steps at a time; fortunately, a nontrivial operator norm estimate applies to $A^2$ instead, which corresponds to the adjacency operator for the graph on $(\mathbb{Z}/n\mathbb{Z})^2$ with edges

$$(a, b) \longrightarrow (4a, 4b),\ (2a + 1, 2b),\ (2a, 2b + 1),\ (2a + 2, 2b),\ (2a, 2b + 2),\ (a + 1, b + 1),\ (a + 1, b + 1),\ (a + 2, b),\ \text{or}\ (a, b + 2). \tag{2.4}$$



2.5 Proposition. With $A$ denoting the adjacency operator of the graph (1.4) and the standing assumption that $n$ is an odd prime, there exists an absolute constant $c > 0$ such that

$$\|A^2 f\| \le \left(3 - \frac{c}{(\log n)^2}\right)^2 \|f\|, \qquad f \in \mathbf{1}^\perp. \tag{2.6}$$

Proof. Any function $f$ on the vertices may be expanded in terms of the additive characters $\chi_{k,\ell}(x, y) = e^{2\pi i (kx + \ell y)/n}$:

$$f = \sum_{(k, \ell)} c_{k,\ell}\, \chi_{k,\ell}. \tag{2.7}$$

The condition that $f \in \mathbf{1}^\perp$ is equivalent to $c_{0,0} = 0$. The action of $A$ on the character $\chi_{k,\ell}$ is given by

$$A \chi_{k,\ell} = d_{k,\ell}\, \chi_{k,\ell} + \chi_{2k,2\ell}, \tag{2.8}$$

where 

Thus $A$ is the sum of the diagonal operator $D : \chi_{k,\ell} \mapsto d_{k,\ell}\, \chi_{k,\ell}$ and the permutation operator $P : \chi_{k,\ell} \mapsto \chi_{2k,2\ell}$. The adjoint of $A$ under the inner product (2.2) is $A^* = \bar{D} + P^{-1}$. Let us write

$$A^{*2} A^2 = (\bar{D}^2 + P^{-1}\bar{D} + \bar{D}P^{-1} + P^{-2})(D^2 + PD + DP + P^2) = X_1 + X_2, \tag{2.10}$$

where $X_1 = \bar{D}^2 PD + \bar{D}P$, and $X_2$ is the remaining sum of 14 terms from the expansion of the first line. Because $|d_{k,\ell}| = 2\left|\cos\left(\frac{(k - \ell)\pi}{n}\right)\right| \le 2$ and in fact equals 2 when $k = \ell$, the operator norms of $D$ and $\bar{D}$ are $\|D\| = \|\bar{D}\| = 2$. Likewise $\|P\| = \|P^{-1}\| = 1$, because $P$ preserves norms. It follows from the sum of 14 terms defining $X_2$ that $\|X_2\| \le 71$. Using this fact and Cauchy-Schwarz, we get the bound

$$\|A^2 f\|^2 = (f, A^{*2} A^2 f) \le 71 \|f\|^2 + |(f, (\bar{D}^2 PD + \bar{D}P) f)|. \tag{2.11}$$

In order to prove (2.6) it now suffices to show the bound

$$|(f, (\bar{D}^2 PD + \bar{D}P) f)| \le \left(10 - \frac{c}{(\log n)^2}\right) n^2 \sum_{(k, \ell)} |c_{k,\ell}|^2 \tag{2.12}$$

for some absolute constant $c > 0$. Here we have used (2.7) as well as the inner product relation

$$(\chi_{k,\ell}, \chi_{k',\ell'}) = \begin{cases} n^2, & (k, \ell) = (k', \ell'); \\ 0, & \text{otherwise.} \end{cases} \tag{2.13}$$

Since

$$(\bar{D}^2 PD + \bar{D}P)\, \chi_{k,\ell} = \mu_{k,\ell}\, \chi_{2k,2\ell}, \qquad \mu_{k,\ell} = \bar{d}_{2k,2\ell}^{\,2}\, d_{k,\ell} + \bar{d}_{2k,2\ell}, \tag{2.14}$$

we have that

$$|(f, (\bar{D}^2 PD + \bar{D}P) f)| \le n^2 \sum_{(k, \ell)} |c_{k,\ell}|\, |\mu_{k,\ell}|\, |c_{2k,2\ell}|. \tag{2.15}$$

We now group the indices $(k, \ell) \neq (0, 0)$ into the $n + 1$ lines through the origin in $(\mathbb{Z}/n\mathbb{Z})^2$. Using the bounds

$$|\mu_{k,\ell}| \le 8 + 2\left|\cos\frac{2(k - \ell)\pi}{n}\right| \ \text{ for the lines with } k \neq \ell, \qquad |\mu_{k,k}| \le 6 + 4\left|\cos\frac{k\pi}{n}\right|, \tag{2.16}$$

and the fact that 2 is invertible modulo $n$, the desired bound (2.12) reduces to the estimates

$$\sum_{k=1}^{n-1} x_k x_{2k} \le \sum_{k=1}^{n-1} x_k^2, \qquad \sum_{k=1}^{n-1} x_k x_{2k} \left|\cos\frac{k\pi}{n}\right| \le \left(1 - \frac{c'}{(\log n)^2}\right) \sum_{k=1}^{n-1} x_k^2, \ \text{ for some absolute } c' > 0, \tag{2.17}$$

for any real numbers $x_1, \ldots, x_{n-1}$. The first inequality follows from $x_k x_{2k} \le \frac{1}{2}(x_k^2 + x_{2k}^2)$, and the second is proven in [5, Prop. 3.1]. □



Combining these, we have shown

2.18 Proposition. There exists an absolute positive constant $c_0$ such that the number of paths of length $r \ge c_0 (\log n)^3$ on the graph (1.4) which begin at the vertex $(a, b)$ and end at the vertex $(a', b')$ is between $\frac{3^r}{2n^2}$ and $\frac{3^{r+1}}{2n^2}$. In particular, the probability of a random walk of length $r \ge c_0 (\log n)^3$ ending at its starting point is at most $\frac{3}{2n^2}$.

Remarks: This mixing time estimate for the random walk can also be proven using the method of canonical paths from [6].

Interestingly, the mixing time estimate for the Pollard $\rho$ graph (1.3) in [5] does not need the step $x \mapsto xh$: the steps $x \mapsto xg$ and $x \mapsto x^2$ suffice. This follows from the same method of proof, and is suggested by the heuristic that the $x \mapsto xh$ step is approximated by the other two. However, the Pollard $\rho$ coefficient graph does not rapidly mix unless all three steps in (1.4) are present. In any case, all three steps are necessary for the execution of the Pollard $\rho$ algorithm.

3 Trace estimates 

3.1 Lemma. If $k \ge 1$ is less than the multiplicative order of 2 modulo $n$, then there are precisely $3^k - 2^k$ closed cycles on the graph (1.4) of length $k$. In particular, if $(a, b)$ is a random point in $(\mathbb{Z}/n\mathbb{Z})^2$, the probability is at most $\frac{1}{n^2}$ that a random walk of length $k$ which starts at $(a, b)$ also ends at $(a, b)$.

The number of such cycles is also given by $\operatorname{tr} A^k$, where $A$ is the adjacency operator of the graph. The above estimate, however, does not seem to follow from the spectral techniques of the previous section.

Proof. Every path involves either doubling the coefficients $(a, b)$, or adding 1 to one of them. Thus all paths of length $k$ starting from the vertex $(x, y)$ have the form

$$T : (x, y) \mapsto 2^s (x, y) + (u, v), \tag{3.2}$$

where $s \le k$ equals the number of doubling steps in the path, and $u, v \in \mathbb{Z}/n\mathbb{Z}$ are independent of $x$ and $y$. (This characterization obviously holds for $k = 1$, and in general by induction.) A closed cycle is equivalent to a fixed point for $T$. Of the $3^k$ possible paths starting from $(x, y)$, exactly $2^k$ have $s = 0$. For those walks, $(u, v) \neq (0, 0)$ since all steps are of the form $(a, b) \mapsto (a + 1, b)$ or $(a, b + 1)$. Thus $T$ has no fixed points in this situation. However, if $s \neq 0$ then $2^s$ is not congruent to 1 modulo $n$ because of the multiplicative order condition. In this situation, $T$ has exactly one fixed point. The closed cycles come from these $3^k - 2^k$ cases. □
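As an added check of Lemma 3.1 (this code is not part of the paper), the following Python composes a length-$k$ path on the coefficient graph (1.4) into the map $T$ of (3.2) and counts closed cycles by brute force over all $n^2$ start vertices for a small prime $n$. The count equals $3^k - 2^k$ while $k$ is below the multiplicative order of 2, and the demonstration also goes one step past the lemma: at $n = 7$, where 2 has order 3, it shows the $n^2$ extra closed cycles that appear once $k$ reaches that order.

```python
from itertools import product

def path_map(path, n):
    """Compose a path on the coefficient graph (1.4) into the affine map
    T(x, y) = 2^s (x, y) + (u, v) of (3.2); returns (s, u, v).
    Step letters: 'D' doubles, 'A' adds (1, 0), 'B' adds (0, 1)."""
    s, u, v = 0, 0, 0
    for step in path:
        if step == 'D':
            s, u, v = s + 1, 2 * u % n, 2 * v % n
        elif step == 'A':
            u = (u + 1) % n
        else:
            v = (v + 1) % n
    return s, u, v

def closed_cycles(n, k):
    """Brute-force tr A^k: the number of (start vertex, length-k path) pairs on
    (Z/nZ)^2 that return to the start. Feasible only for small n and k."""
    total = 0
    for path in product('DAB', repeat=k):
        s, u, v = path_map(path, n)
        m = pow(2, s, n)
        # count the fixed points of (x, y) -> (m x + u, m y + v) mod n
        for x in range(n):
            for y in range(n):
                if ((m * x + u) % n, (m * y + v) % n) == (x, y):
                    total += 1
    return total

def multiplicative_order(a, n):
    """Least k >= 1 with a^k = 1 (mod n); assumes gcd(a, n) = 1."""
    k, t = 1, a % n
    while t != 1:
        k, t = k + 1, t * a % n
    return k

if __name__ == "__main__":
    n = 7                                  # 2 has multiplicative order 3 mod 7
    for k in (1, 2, 3):
        print(k, closed_cycles(n, k), 3 ** k - 2 ** k)
    # k = 1, 2 agree with 3^k - 2^k; at k = 3 the all-doubling path is the
    # identity on (Z/7Z)^2, so n^2 = 49 extra closed cycles appear: exactly
    # the situation the lemma's hypothesis on the order of 2 excludes.
```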

This concludes the estimates necessary for the proof of Theorem 1.2. We conclude with the following lemma, which shows that primes for which 2 has multiplicative order smaller than the threshold $c_0 (\log n)^3$ of Theorem 1.2 are extremely rare.

3.3 Lemma. Let $X > 0$, $c > 0$, and $B$ the set of primes $p$ in the interval $[X, 2X]$ such that the multiplicative order of 2 modulo $p$ is bounded by $c (\log X)^3$. Then the size of $B$ is bounded by

$$|B| \le \frac{c^2 (\log X)^5}{2}. \tag{3.4}$$

Proof. The condition on $p \in B$ states that $p$ divides $\prod_{k \le c (\log X)^3} (2^k - 1)$. Primality therefore implies that

$$\prod_{p \in B} p \ \text{ divides } \prod_{k \le c (\log X)^3} (2^k - 1), \tag{3.5}$$

and in particular satisfies

$$X^{|B|} \le \prod_{p \in B} p \le \prod_{k \le c (\log X)^3} (2^k - 1) < 2^E, \tag{3.6}$$

with

$$E = \sum_{k \le c (\log X)^3} k \le \frac{c^2}{2} (\log X)^6, \tag{3.7}$$

implying (3.4). □

In fact this proof shows something slightly stronger, that the bound (3.4) holds for the number of primes at least $X$ whose multiplicative order is bounded by $c (\log X)^3$.